Members of the OpenBSD project, already known for the OpenBSD operating system and related projects such as OpenSSH, OpenBGPD, OpenNTPD, OpenSMTPD, are creating a fork of the OpenSSL project, likely to be called LibreSSL. (OpenSSL and OpenBSD are completely separate projects with different people working on them.)

Apparently, the focus is not so much on taking OpenSSL into a completely different direction, but more on a massive code cleanup and long-overdue maintenance.

I am ever grateful for the quality work that OpenBSD does, not just for OpenBSD but for the wider open ecosystem.

Without distracting from this much needed cleanup - one does have to ask - how did this happen? What lessons are there to be learned?

I think this "inquiry" and "report" shouldn't be done just in forum posts, ... but taken much more seriously, with a much publicised review and report, funded and resourced properly - especially by those huge organisations (e.g. Red Hat, but others too) who can afford, and can't afford not to, do that.

So many products depend on OpenSSL code... it is important for the industry to understand what went wrong for OpenSSL, and how.

The open ecosystem is always much more honest with itself than closed commercial software - and it will benefit hugely from such a review.

If I were Cisco, Red Hat, Sony, etc. ... I'd be supporting such a coordinated review and lessons learned. I'd be surprised if an outcome wasn't better funding for such important code.